Hardening VM for Malware Analysis

Dear Security Experts,

I am starting out in malware research / malware analysis. I am reading the book Practical Guide to Malware Analysis, which touches on this in the 2nd chapter, before approaching dynamic analysis (malware detonation). However, it mentions 2 options for the virtualization approach.

  1. One is to set the network adapter to Host-Only. That way it should isolate the VM from the network, but still have access to it via the host – not sure though how that works.

  2. They mention a multi-VM setup where one VM is set up for services and the other for analysis, and both are joined to the same custom VMnet.

My problem is that there are no step-by-step instructions on how to do this, so I am hoping to get answers here. The question I am most curious about is: Is setting the network adapter to Host-Only the only thing to do to isolate the VM for malware analysis? Because many sites I googled mention just this (and also taking snapshots etc.).
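The two options above can be checked on disk before the VM is ever powered on. The script below is an added example; it is not from the post or from the book it cites. It reads a VMware .vmx file and reports how ethernet0 is connected, treating a .vmx with no ethernet0 at all as isolated. It assumes the standard .vmx keys ethernet0.present, ethernet0.connectionType (bridged, nat, hostonly, custom) and ethernet0.vnet; the sample .vmx files it writes are constructed for the demo, not real VM configs.

```shell
#!/bin/sh
# Added example, not from the original post or the book it cites.
# Reports how ethernet0 of a VMware .vmx is connected, so the Host-Only or
# custom-VMnet setup can be verified before detonating anything.
# Assumption: the .vmx keys ethernet0.present, ethernet0.connectionType
# ("bridged", "nat", "hostonly", "custom") and ethernet0.vnet (e.g. "VMnet2")
# are as VMware Workstation writes them.

# vmx_value FILE KEY -> value of KEY without its quotes, empty if absent
vmx_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$1"
}

# vmx_net_mode FILE -> bridged | nat | hostonly | custom:<vnet> | unset | absent
vmx_net_mode() {
    case "$(vmx_value "$1" ethernet0.present)" in
        [Tt][Rr][Uu][Ee]) ;;
        *) echo absent; return 0 ;;
    esac
    type=$(vmx_value "$1" ethernet0.connectionType)
    case "$type" in
        custom) echo "custom:$(vmx_value "$1" ethernet0.vnet)" ;;
        "")     echo unset ;;
        *)      echo "$type" ;;
    esac
}

# vmx_isolated FILE -> 0 if the adapter is off the LAN (host-only, custom VMnet,
# or no adapter at all), 1 for nat, bridged or an unset type
vmx_isolated() {
    case "$(vmx_net_mode "$1")" in
        hostonly|custom:*|absent) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample_vmx FILE TYPE -> constructed minimal .vmx for the demo/test
write_sample_vmx() {
    {
        echo '.encoding = "UTF-8"'
        echo 'config.version = "8"'
        echo 'displayName = "analysis-vm"'
        echo 'ethernet0.present = "TRUE"'
        echo "ethernet0.connectionType = \"$2\""
        [ "$2" = custom ] && echo 'ethernet0.vnet = "VMnet2"'
        echo 'ethernet0.virtualDev = "e1000"'
    } > "$1"
}

demo() {
    d=$(mktemp -d)
    for mode in hostonly custom nat bridged; do
        write_sample_vmx "$d/$mode.vmx" "$mode"
        if vmx_isolated "$d/$mode.vmx"; then verdict="off the LAN"; else verdict="REACHES THE LAN"; fi
        printf '%-9s -> %-14s %s\n' "$mode" "$(vmx_net_mode "$d/$mode.vmx")" "$verdict"
    done
    rm -rf "$d"
}
demo
```

Host-only keeps the guest off the LAN and the Internet but gives the host a virtual adapter on the same private subnet, which is why the host can still reach the guest (and the guest can reach anything listening on that host address). The custom-VMnet variant is the same mechanism with two guests on one private switch. One caveat the .vmx cannot show: a custom VMnet can itself be configured as NAT or bridged in the Virtual Network Editor, so check the editor as well as the file.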


CIS hardening of alpine based docker container

I've got a service running inside a Docker container. I've built my own image based on the nginx:stable-alpine Docker image.

I am trying to ascertain whether the concept of CIS hardening applies to the container itself or just the host OS where the container is running. (I am not interested in the host itself, as that is already CIS hardened by the hosting provider.)

I had a couple of suggestions such as https://github.com/docker/docker-bench-security and https://github.com/dev-sec/cis-docker-benchmark, but these again only seem to apply to the host OS where Docker is running. The nginx alpine image does, for example, contain some sample confs and HTML which should be removed according to CIS hardening rules.

Are there any scripts or tools I can run that can report on whether there are other aspects of the container that need to be hardened in the Dockerfile to ensure the container is CIS compliant? Ideally I'd like to avoid having to prove every point in the CIS hardening spec manually. I have found this, but it is a 3-year-old script and I can't be confident that it is maintained.
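Whether the benchmark has anything to say about the image can be checked directly against the image's own filesystem. The script below is an added example and is not part of the post, of docker-bench-security or of the dev-sec benchmark: given an exported container root filesystem (ROOT), it reports the nginx sample config and HTML mentioned above plus any world-writable regular files. It assumes the default paths the official nginx images use for those samples (/etc/nginx/conf.d/default.conf, /usr/share/nginx/html/index.html and 50x.html) and that ROOT was produced with docker create and docker export, which the script does not run itself; the rootfs built in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the post, docker-bench-security or the dev-sec benchmark).
# Audits an exported container root filesystem for the nginx sample files the
# post mentions and for world-writable regular files.
#
# Assumptions:
#  - ROOT holds the container's merged filesystem, e.g. produced by
#      docker create --name tmp myimage && mkdir rootfs && docker export tmp | tar -xC rootfs
#    (those docker commands are not run here);
#  - the sample paths are the ones the official nginx images ship.

NGINX_SAMPLE_FILES="etc/nginx/conf.d/default.conf
usr/share/nginx/html/index.html
usr/share/nginx/html/50x.html"

# sample_files_present ROOT -> prints each leftover sample file; 0 if none, 1 otherwise
sample_files_present() {
    found=0
    for rel in $NGINX_SAMPLE_FILES; do
        if [ -e "$1/$rel" ]; then
            echo "leftover sample: /$rel"
            found=1
        fi
    done
    return $found
}

# world_writable ROOT -> prints regular files writable by "other"; 0 if none, 1 otherwise
world_writable() {
    hits=$(find "$1" -type f -perm -002 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed "s|^$1|world-writable: |"
    return 1
}

# audit_rootfs ROOT -> runs both checks; 0 only if both are clean
audit_rootfs() {
    rc=0
    sample_files_present "$1" || rc=1
    world_writable "$1" || rc=1
    return $rc
}

# Demo on a constructed rootfs that mimics an untouched nginx image.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/nginx/conf.d" "$root/usr/share/nginx/html" "$root/tmp"
    : > "$root/etc/nginx/conf.d/default.conf"
    : > "$root/usr/share/nginx/html/index.html"
    : > "$root/tmp/debug.log"
    chmod 666 "$root/tmp/debug.log"
    echo "before remediation:"
    audit_rootfs "$root" || echo "-> FAIL"
    rm -f "$root/etc/nginx/conf.d/default.conf" "$root/usr/share/nginx/html/index.html"
    chmod 644 "$root/tmp/debug.log"
    echo "after remediation:"
    audit_rootfs "$root" && echo "-> PASS"
    rm -rf "$root"
}
demo
```

Removing the leftovers is a Dockerfile change (`RUN rm -f /etc/nginx/conf.d/default.conf /usr/share/nginx/html/index.html /usr/share/nginx/html/50x.html` after the FROM line); re-running the check against a fresh export confirms the removal is visible in the merged filesystem the container actually runs with.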

Debian 9 file system CIS-CAT hardening issues

I'm performing a CIS-CAT scan and I'm questioning the results of the scanner, which seems poorly designed. Now I am running on Debian 9, which isn't officially supported by the scanner, but I can get it to run. I've implemented 95% of their requirements and can successfully scan using the following command:

sudo ./CIS-CAT.sh -f -D ignore.platform.mismatch=true -D include.csv.remediation=true -csv 

/bin has permissions of drwxr-x--x and they want me to remove execute for other; however, if I "chmod o-x /bin" then a regular user cannot execute standard commands like "ls". Is there a different approach to this?

Same thing with the following: /dev /var/cache/man /run/systemd /run/dbus /run/sshd 

which have permissions of drwxr-xr-x. CIS-CAT wants me to remove other read and execute, but their permissions get reset on reboot.
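One way to re-check those findings after a reboot without re-running the whole scanner, as an added example that is not part of the post or of CIS-CAT: the script reads each flagged directory's mode and prints which read/write/execute bits are granted to "other". It assumes GNU coreutils (`stat -c %a`, with a BSD `stat -f %Lp` fallback) and the directory list from the post; the temporary directory used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the post or from CIS-CAT. Re-checks the directories the
# scan flagged by printing the read/write/execute bits granted to "other".
# Assumptions: GNU coreutils `stat -c %a` (Debian), with a BSD `stat -f %Lp`
# fallback; the directory list is the one from the post.

FLAGGED_DIRS="/bin /dev /var/cache/man /run/systemd /run/dbus /run/sshd"

# other_perms MODE -> the r/w/x letters set for "other" in an octal mode string
#   other_perms 751 -> x    other_perms 755 -> rx    other_perms 750 -> (empty)
other_perms() {
    last=${1#"${1%?}"}          # last octal digit is the "other" triplet
    out=""
    [ $(( $last & 4 )) -ne 0 ] && out="${out}r"
    [ $(( $last & 2 )) -ne 0 ] && out="${out}w"
    [ $(( $last & 1 )) -ne 0 ] && out="${out}x"
    printf '%s' "$out"
}

# dir_mode DIR -> octal mode of DIR (GNU stat, falling back to BSD stat)
dir_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# dir_other_perms DIR -> "DIR MODE [bits]" or "DIR missing"
dir_other_perms() {
    if [ ! -d "$1" ]; then
        echo "$1 missing"
        return 0
    fi
    mode=$(dir_mode "$1")
    echo "$1 $mode [$(other_perms "$mode")]"
}

# audit_flagged -> one line per flagged dir; 1 if any still grants other read or execute
audit_flagged() {
    bad=0
    for d in $FLAGGED_DIRS; do
        line=$(dir_other_perms "$d")
        echo "$line"
        case "$line" in
            *\[*r*\]*|*\[*x*\]*) bad=1 ;;
        esac
    done
    return $bad
}

audit_flagged && echo "no flagged directory grants other r/x" \
              || echo "at least one flagged directory still grants other r/x"
```

Two things worth knowing when reading the output: the execute bit on a directory is search permission, so dropping it from /bin stops unprivileged users from resolving /bin/ls at all, which is exactly the breakage described above; and /dev and /run are device/tmpfs mounts recreated at every boot, with /run/systemd, /run/dbus and /run/sshd created by their daemons at start-up, so a chmod on them cannot survive a reboot and either has to be reapplied by something that runs after those services or recorded as an accepted exception to the finding.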